| Commit message (Collapse) | Author | Age |
|
|
|
| |
follow-up to fdee4dc1326bb2d5ce90ef2a0410dccba56beb70
|
| |
|
|
|
|
| |
remove all duplicate entries
|
|\
| |
| | |
whitelist restructuring
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Check mountids while creating path of a new mount target.
If the mountid differs from the top level directory (tmpfs)
mountid, this proves an earlier whitelist command.
It is important to note though that this check is not exhaustive,
as besides nested whitelist commands there are also nested
top level directories. So a user could run:
firejail --whitelist=/a/b --whitelist=/a/b/c where both
a and b are (whitelist) top level directories. Such a command
may result in b and c sharing the filesystem and hence mountid.
In this case the nested nature of the whitelist commands
will go unnoticed.
A more rigorous version will probably need to apply some
sorting to the whitelist command, possibly by means of
glob(3).
|
| |
| |
| |
| | |
some cleanup, simplify extending the code (for example adding additional members to the TopDir struct)
|
| |
| |
| |
| |
| |
| |
| | |
as functions operate on a file descriptor
it should be safe to remove them; this
sets the stage for improvements to the
whitelist code
|
|\ \
| | |
| | | |
Add ability to disable user profiles at compile time.
|
| | | |
|
| | | |
|
| | | |
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* add opera-developer to firecfg
* add opera-developer
* fix typo
* add configs for opera-developer
* Create opera-developer.profile
* fixes for opera-developer
* fix for opera-developer
|
| | |
|
| | |
|
| | |
|
|/
|
|
|
|
|
| |
* Create onionshare.profile
* Create onionshare-cli.profile
* add onionshare redirects to firecfg.config
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added on commit 7abce0b4c ("Fix keeping certain groups with nogroups",
2021-11-30) / PR #4732.
As reported by @rusty-snake on #4930, conflicting messages are printed
when using whitelist-run-common.inc with nogroups:
$ cat test.profile
include whitelist-run-common.inc
nogroups
$ firejail --profile=./test.profile groups
Reading profile ./test.profile
Reading profile /etc/firejail/whitelist-run-common.inc
Parent pid 1234, child pid 1235
Warning: logind not detected, nogroups command ignored <--- is a lie
Warning: cleaning all supplementary groups
Child process initialized in 30.00 ms
rusty-snake <---- running `groups` outside of the sandbox shows more so groups are actually cleaned
Parent is shutting down, bye...
This probably happens because wrc causes /run/systemd to be hidden in
the sandbox and because check_can_drop_all_groups is called multiple
times, seemingly both before and after the whitelisting goes into
effect. So disable the message about nogroups being ignored, but keep
the message about cleaning all supplementary groups (which is unlikely
to be printed unless it really happens).
Fixes #4930.
|
| |
|
|
|
|
| |
regressed in c764520b5aa343c00c3a73633511df039645973c
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
Seafile
|
| | |
|
|\ \
| | |
| | | |
add a profile for cointop
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
there are two build options, should clean up both
follow-up to commit a6283fd7873a4f1dffb0730a968406d52545c73a
|
|\ \ \ |
|
| | | | |
|
| | | | |
|
|/ / / |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
This amends commit ac6c8c038 ("fix #4078", 2022-01-21).
Fixes #4078.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
|/ / |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|